By Carolyn Crandall
This week Attivo Networks announced the release of the new ThreatDefend™ Detection and Response Platform. It represents the next generation of distributed deception solutions and has been built to outmaneuver modern-day attackers that are anticipating detection technology as a security control. In addition, the solution offers expanded integration partnerships, forensic attack analysis, and response automation.
As deception technology experiences greater attention and adoption, attackers will seek to detect its presence and circumvent basic detection techniques. The Attivo ThreatDefend Platform is designed to deceive and captivate the most sophisticated of attackers, even those who may be anticipating deception-based defenses.
Earlier and less mature forms of deception technology are designed with traps that rely predominantly on the element of surprise and do not take extensive measures to operate or authenticate as a genuine production asset. The Attivo Networks next-generation deception technology goes well beyond the simple emulations and low- to medium-interaction decoys seen in other solutions on the market. Attivo transforms the customer’s computer environment into a high-interaction “hall of mirrors” that authenticates and runs the same operating systems and software as genuine production assets, and dynamically refreshes or re-spins after engagement to evade attacker fingerprinting.
The release of this next-generation ThreatDefend Deception and Response Platform retains the element of surprise while adding features based on advanced deception techniques, adaptations for the environment, predictive vulnerability assessment, and automations that simplify the isolation and eradication of threats within the network.
Customers can start with our base detection capabilities and expand the ThreatDefend platform as their business requires it. For example, customers seeking visibility into exposed attack paths may add ThreatPath and may also choose to accelerate incident handling by adding ThreatOps for creating playbooks for automated response.
The new advances in the Attivo ThreatDefend platform technology fall into six categories that are designed to derail even the most sophisticated attacker, throughout the various phases of an attack.
- Comprehensive – Combining network and endpoint detection creates the highest efficacy of early detection coverage for advanced threats and their credential-based attacks and lateral movement. Deceptions placed both on the endpoint and inside the network efficiently detect threats across all vectors, including advanced threats, stolen credentials, man-in-the-middle, ransomware, phishing, and insider threats. These advanced threats often evade traditional perimeter-based systems, including deception solutions that rely on endpoint deception alone.
- Magnetic – Attivo creates a camouflage of deceptions that provides advanced luring techniques designed to attract and draw in attackers. These attractive decoys and lures, unbeknownst to the attacker, efficiently lure the attacker into engaging with the deception environment, thereby stalling their attack and revealing their methods and presence. Deceptions are applied in decoys and on production endpoints and servers, with “bait” appearing identical to real user credentials, documents, mapped drives, and other information of interest. Decoys are high-interaction, run the same real operating systems and services as the production environment, and provide directory authentication to pass attacker verification.
- Dynamic – Attivo Networks employs machine learning to automate the creation, deployment, and updating of decoys and lures to maintain their credibility and attractiveness to attackers. High-interaction techniques are also applied to keep attackers engaged, thereby slowing down the pace of their attack, and to avoid the spread of malware while providing time to isolate and analyze the attack. For example, Attivo Labs researched WannaCry ransomware attacks and found that its high-interaction engagement techniques successfully slowed down the attack process by 25X compared to a standard drive under attack.
- Scalable – The ThreatStrike Endpoint Suite is agentless for easy deployment and operates without the need for additional processing power or patching. The solution can also be easily integrated with endpoint solutions from vendors like ForeScout or McAfee. Attivo’s environmentally adaptive platform easily scales to provide in-network threat detection for a wide variety of environments (user networks, data centers, cloud, ROBO) and efficiently addresses challenging detection issues ranging from the use of emerging IoT and open source technology and legacy systems to employee behavior (phishing, watering hole, software updates) and detection in specialty environments (ICS-SCADA, POS, SWIFT, VoIP).
- Predictive – Through its ThreatPath™ attack path vulnerability assessment, network visibility, and attack time-lapsed replay, Attivo provides visibility into the attacker’s most likely points of entry and vectors of lateral movement. This information can be used to strengthen overall defenses and shut down potential paths for a successful attack.
- Responsive – Through the ThreatOps solution, Attivo provides extensive third-party integrations for simplified incident response and the rapid remediation of emerging threats. Aligned with a customer’s existing security policies and processes, these automations remove the typical attacker time advantage and provide customers with valuable incremental time to respond. The solution operates by leveraging attack information gathered and analyzed by BOTsink® engagement servers, memory forensics, and data from an organization’s security assets to automate the correlation of attack data and create repeatable playbooks for automated incident handling.
Collectively, these advancements in the ThreatDefend platform are game-changers for companies seeking to defend against advanced attackers by outmaneuvering the attacker and requiring the attacker to be right 100% of the time to avoid detection. In addition, customers gain the ability to slow down an attack and turn the time advantage back in their favor to fortify their defenses.
Highly effective security solutions can never afford to be static. The ThreatDefend platform is dynamic and stays one step ahead of attackers who may be looking for deception as a security control. It is one more example of how Attivo is leading the deception technology space with innovative solutions designed to keep one step ahead of attackers.